...
- ONAP SBOM status - https://wiki.onap.org/display/DW/Software+Bill+of+Materials – Pawel/Amy
- Still WIP. Expecting to generate SBOM soon
- Started with existing set of NTIA requirements
- Focusing on SPDX format provides ~85% of the minimum required BOM. Might require some manual work to complete.
- Working on making the SPDX task part of the CI chain.
- Q: What are the disadvantages of CycloneDX? A: Failed to extract information in some cases. SPDX seems to be more successful. Also, some operators may require the SPDX format for the BOM.
- There are tools that can generate different formats of SBOM and translate between formats. Different customers may require different formats.
- Q: Are there CI plugins (specifically for Maven) that can trigger generating the SBOM? Jessica Wagantall may have some such configurations available. Robert Varga will reach out.
- Q: How is signature related to SBOM? A: There is a standard methodology in the LF. ONAP is following that. It is mandated by Maven Central.
- Anuket SBOM work - https://github.com/cntt-n/CNTT/blob/master/doc/ref_model/chapters/chapter07.md#77-open-source-software-security - Karine
- Started with the NTIA document. Analyzed SPDX as well. SWID Tags came up in the analysis as well.
- At this point planning to come up with recommendation only, no requirement yet.
- Muddasar Ahmed - Generating the SBOM should become transparent to developers and project leaders.
- The document linked above is planned to be a living document reflecting recent evolution of SBOM specifications. May include more prescriptive requirements for tools and process.
- Muddasar Ahmed - SPDX 3.0 specifications will most likely be accompanied by a 3.0 version of the SPDX tool.
- Using Scancode.io for Docker image license and vulnerability scanning - https://static.sched.com/hosted_files/onesummit2021/78/one2021.pdf - Ranny
- Recent NTIA recommendations for SBOM. They are quickly becoming de facto standards - https://www.ntia.doc.gov/report/2021/minimum-elements-software-bill-materials-sbom - Amy
- Minimum requirements are already out - 10 fields - name, URL, etc.
- More fields are in the works. There seems to be alignment between the NTIA specification and SPDX.
- There are external details in the NTIA specification; some are ambiguous.
- US entities may be required (by a US executive order from May 2021) to be aware of their software composition. SBOM may soon become part of RFCs issued by such companies.
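The ONAP note that SPDX output covers only part of the minimum required BOM and needs manual completion, and the NTIA item above about minimum required fields, both come down to one practical question: which baseline data fields is a generated SPDX document still missing? Below is an added example of a gap checker for that, written for these notes and not code from ONAP, Anuket, or the NTIA document. It assumes the SPDX 2.x JSON layout (creationInfo, packages, relationships, externalRefs) and the common mapping of NTIA baseline fields onto SPDX (supplier, name, version, a purl/CPE identifier, a relationship, creator, created); the sample SBOM, package names, and URLs are constructed placeholders.

```python
"""Report which NTIA baseline data fields an SPDX 2.x JSON SBOM leaves unfilled."""
import json
from typing import Dict, List

# Constructed sample: a minimal SPDX 2.3 JSON document, not an SBOM generated by any project.
SAMPLE_SBOM_JSON = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-app-sbom",
    "documentNamespace": "https://sbom.example.invalid/example-app/1.0.0",
    "creationInfo": {
        "created": "2021-12-01T10:00:00Z",
        "creators": ["Tool: example-spdx-generator-0.1", "Organization: Example Org"],
    },
    "packages": [
        {   # complete entry
            "name": "example-app",
            "SPDXID": "SPDXRef-Package-example-app",
            "versionInfo": "1.0.0",
            "supplier": "Organization: Example Org",
            "downloadLocation": "https://git.example.invalid/example-app",
            "externalRefs": [{
                "referenceCategory": "PACKAGE-MANAGER",
                "referenceType": "purl",
                "referenceLocator": "pkg:maven/org.example/example-app@1.0.0",
            }],
        },
        {   # supplier unknown: the kind of gap a scanner typically leaves behind
            "name": "libfoo",
            "SPDXID": "SPDXRef-Package-libfoo",
            "versionInfo": "2.4.1",
            "supplier": "NOASSERTION",
            "downloadLocation": "NOASSERTION",
            "externalRefs": [{
                "referenceCategory": "PACKAGE-MANAGER",
                "referenceType": "purl",
                "referenceLocator": "pkg:maven/org.foo/libfoo@2.4.1",
            }],
        },
        {   # no version, no identifier, and never referenced by a relationship
            "name": "libbar",
            "SPDXID": "SPDXRef-Package-libbar",
            "versionInfo": "NOASSERTION",
            "downloadLocation": "NOASSERTION",
        },
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-Package-example-app"},
        {"spdxElementId": "SPDXRef-Package-example-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-libfoo"},
    ],
})

# SPDX external reference types that carry an identifier usable for matching against advisories.
IDENTIFIER_REF_TYPES = {"purl", "cpe22Type", "cpe23Type"}


def _present(value) -> bool:
    """SPDX allows NOASSERTION/NONE placeholders; for the baseline they count as missing."""
    return isinstance(value, str) and value.strip() not in ("", "NOASSERTION", "NONE")


def check_ntia_baseline(sbom_json: str) -> Dict[str, object]:
    """Return document-level gaps, per-package gaps, and the fraction of checks passed."""
    doc = json.loads(sbom_json)
    info = doc.get("creationInfo", {})
    doc_missing: List[str] = []
    if not info.get("creators"):
        doc_missing.append("author")
    if not _present(info.get("created")):
        doc_missing.append("timestamp")

    # Every SPDXID that takes part in any relationship, on either side.
    related = set()
    for rel in doc.get("relationships", []):
        related.add(rel.get("spdxElementId"))
        related.add(rel.get("relatedSpdxElement"))

    pkg_missing: Dict[str, List[str]] = {}
    checks = passed = 0
    for pkg in doc.get("packages", []):
        label = pkg.get("name") or pkg.get("SPDXID", "<unnamed>")
        ids = {r.get("referenceType") for r in pkg.get("externalRefs", [])
               if _present(r.get("referenceLocator"))}
        results = {
            "supplier": _present(pkg.get("supplier")),
            "name": _present(pkg.get("name")),
            "version": _present(pkg.get("versionInfo")),
            "unique_identifier": bool(ids & IDENTIFIER_REF_TYPES),
            "dependency_relationship": pkg.get("SPDXID") in related,
        }
        checks += len(results)
        passed += sum(results.values())
        missing = [k for k, ok in results.items() if not ok]
        if missing:
            pkg_missing[label] = missing

    checks += 2                      # the two document-level checks
    passed += 2 - len(doc_missing)
    return {
        "document": doc_missing,
        "packages": pkg_missing,
        "coverage": round(passed / checks, 3) if checks else 0.0,
    }


if __name__ == "__main__":
    print(json.dumps(check_ntia_baseline(SAMPLE_SBOM_JSON), indent=2))
```

Run against the constructed sample, the report flags libfoo for a missing supplier and libbar for missing supplier, version, identifier, and relationship, which is the list a maintainer would work through by hand (or feed back into the generator) before publishing the BOM. Treating NOASSERTION as "missing" is deliberate: it is valid SPDX, but it does not satisfy a consumer who needs the field.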
- Q&A
- Next steps
  - Best practices discussion
  - Add links to ONAP page and presentation.
  - Robert Varga - Add information received from Jessica regarding automation scripts
  - Muddasar Ahmed, Pawel Pawlak - Will add a session to the Jan-2022 developer forum.
Recording: